Abstract

Models for Information Assurance Education and Outreach (MIAEO) is an NSF-funded,
three-year project to support hands-on explorations in network security and cryptography
through the Research Experience Vitalizing Science - University Program (REVS-UP) at California
State University, Bakersfield. In addition, the program incorporates components of curriculum
development for undergraduate students and public forums for community members. During the
second year of grant operation, MIAEO supported completion of five research projects in the
Information Assurance domain. The hands-on exploration occurred during a four-week summer
section and involved two professors, two university student assistants, two K-12 teachers, and 18
high school students. Besides evaluating the REVS-UP impact, this report includes assessment
of compelling evidence in program development across the levels of Intended Curriculum,
Implemented Curriculum, and Attained Curriculum. Feedback from the community outreach
events has been gathered to show significant improvement of service outcome over last year.

The report concludes with four recommendations to sustain the program effectiveness in the
third year.

Models for Information Assurance Education and Outreach:

A Report on Year 2 Implementation 

Models for Information Assurance Education and Outreach (MIAEO) is a three-year 
project funded by NSF to enhance cybersecurity through research exploration, program 
development, and community outreach. Built on institutional resources at California State 
University, Bakersfield (CSUB), MIAEO incorporates three core components to articulate 
cybersecurity research in higher education: 

(1) Summer Bridge Investigation: A four-week Research Experience Vitalizing Sciences - 
University Program (REVS-UP) to involve high school students, K-12 teachers, and 
university student assistants in hands-on inquiry under the guidance of CSUB professors; 

(2) College Curriculum Development: A collaborative effort to strengthen multidisciplinary 
Information Assurance (IA) education for undergraduate students in Computer Science 
(CS) and Global Intelligence and National Security (GINS) programs; 

(3) Community Education Opportunity: Engagement of community partners to create a free 
course and a lecture series toward broad increase of IA literacy. 

All three components have been launched since the program inception, which led to 
completion and dissemination of five research projects in the IA field last year: 

(1) Crack Me If You Can: Using GPU Machines to Crack Passwords 

(2) Defense Against Human Hacking 

(3) Zero Knowledge, We Know Everything ... ! 

(4) Elliptic Enigma 

(5) Factor Fiction 

(see Appendix 1 of Year 1 Evaluation Report at http://www.csub.edu/~jwang/MIAE01.pdf)

Furthermore, outreach activities were extended to involve local high schools and communities
during the first year of grant implementation: 

MIAEO has invited 18 high school students, two K-12 teachers, and two CSUB student 
assistants to conduct research explorations in the fields of network security and 
cryptography. . . . MIAEO faculty worked on curriculum developments in Information 
Assurance (IA) across multiple departments, and organized a public symposium to 
expand IA education for approximate 120 community members. (Wang, 2013, p. 2) 

Stipulated by the original budget allocation for this NSF award (Grant No. DUE-1241636),
this report is prepared to evaluate MIAEO operation in the second year. Stufflebeam
(2002) pointed out, “evaluation’s most important purpose is not to prove, but to improve” (p. 2). 
To address the dual emphases, this report not only includes a broad scope of evidence to assess 
the results-based accountability according to the original proposal, but also incorporates new 
recommendations to support program improvement toward the third year. 

Literature Review 

IA is an area of rapid development. Although the Year 1 report included a review of
research literature, more articles and reports have been disseminated in Academic Year (AY) 
2013-14. Hence, a brief review of the new literature is needed to integrate the program 
evaluation with professional practice. 

As an important funding source for IA capacity building, NSF renewed its call for 
proposals in 2014 to support “research on the teaching and learning of cybersecurity” through the 
CyberCorps(R): Scholarship for Service (SFS) program (NSF 14-586, ¶ 4). MIAEO was funded
by the SFS program to maintain a close alignment with the national needs. In particular,
research, teaching, and learning were highlighted as the key components for REVS-UP
activities. Gebauer (2014), the REVS-UP director across multiple disciplines, reconfirmed that
“the program enables CSUB faculty to advance their research, and CSUB students get the
opportunity to learn by teaching” (¶ 4).

Beyond the boundary of higher education, REVS-UP includes an outreach component to 
involve students and teachers from local high schools. Delker (2014) found that a properly 
designed summer program can “get more students interested in choosing computer science and 
cybersecurity as a career, leading them to get involved in computer security groups such as 
Capture the Flag and CyberPatriot in high school” (p. 1). Another research report also indicated 
the need to attract high school students in the field of science, technology, engineering, and 
mathematics (STEM) (Chen & Soldner, 2014). REVS-UP has been running at CSUB each 
summer since 2007 to support STEM education. The track record facilitated recruitment of 
quality students and teachers from high school to participate in cybersecurity investigations at 
CSUB. 

As the only state university within a two-hour driving radius, CSUB incorporates
community services in its mission statement, i.e., “The University collaborates with partners in
the community to increase the region's overall educational attainment, enhance its quality of life,
and support its economic development.” [1] In particular, community involvement is crucial in the
IA field to reduce vulnerability of cyberspace infrastructure in this traditionally-underserved
region. McDaniel (2013) concurred that “Partnerships with higher education institutions are
essential because these institutions offer undergraduate and graduate programs that prepare
graduates for positions in the government cybersecurity workforce and the private sector in
support government cybersecurity goals” (p. 320). In MIAEO, the community need is addressed
by a component of College Curriculum Development to strengthen IA education for
undergraduate students in the local CS and GINS programs.

[1] Source: http://www.csub.edu/about_csub/mission/

The Bureau of Labor Statistics forecasted employment growth of 22% between 2010 and
2020 for information security analysts (Lockard & Wolf, 2012). Prior to the period of data
projection, Chai (2009) noted that “there is a shortage of qualified personnel, which is a factor
that contributes greatly to the society’s vulnerability to various cyber threats” (p. ix). Given the
variation of cybersecurity issues, the original proposal of MIAEO suggested a multidisciplinary
approach to fill a void in the existing IA degree programs:

Most information assurance degrees focus purely on the technical aspects of the field,
neglecting criminal justice, political science, and intelligence skills. The proposed
curriculum would combine the strengths of both existing programs [CS and GINS] to
create well-rounded graduates with a broad base of knowledge. (see the MIAEO
proposal: project summary)

The interdisciplinary root further strengthens program engagements with the general 
public, and thus, supports the community outreach component of MIAEO. In contrast, “the 
actual SFS solicitation requires only that an institution ‘provide clearly documented evidence of 
a strong existing academic program in cybersecurity’” (Hoffman & Toregas, 2014, p. 10). No 
interdisciplinary features were solely demanded in the NSF requirement, nor did the community 
outreach play a central role in the NSF announcement. In this regard, MIAEO remains an 
innovative feature in comparison to other projects in this field. 

Meanwhile, the recent literature indicates a strong need for educating the public on
the importance of complying with applicable cyberspace safeguards in various fields (McDaniel,
2013). “With the amplified awareness of rising cyber security needs, universities are increasing
their curricula to include more cyber and security related courses to meet this intensified
demand” (Souza, 2014, p. 28). Because “Institution outputs should be matched to employer
needs” (Hoffman & Toregas, 2014, p. 4), the community engagement reciprocally enriches
learning opportunities for college students to understand the employment market in the local context.

By definition, “assessment” depicts a process of fact-finding while “evaluation” includes
more emphasis on the value judgment (Best & Kahn, 2005). In the Year 1 report, the value of
MIAEO was examined in a five-page section, “Creative Features of MIAEO” (see Wang, 2013,
pp. 5-9). New literature has been reviewed in this section to reconfirm the program value this
year. As a result, a profound role has been identified for MIAEO to improve cybersecurity 
education on two fronts: (1) Enhancing the capacity of college-based learning through REVS-UP 
and IA program development, and (2) Increasing IA-literacy for the general public. 

Research Questions 

Hoffman and Toregas (2014) observed that “A previous report on SFS workforce 
development (Hoffman 2012) argued for a broader and more holistic approach to cybersecurity 
education” (p. 7). Led by university professors, a holistic approach has been taken in MIAEO to 
enrich learning and teaching opportunities at CSUB through collaborative efforts on 
cybersecurity research, curriculum development, and community outreach. To strengthen the utility
of this report, three research questions have been developed to guide data analyses for MIAEO
evaluation:

1. Built on the REVS-UP platform from Year 1, what is the impact from research inquiries
in the 2014 summer session?

2. What has been accomplished in curriculum development to enhance IA education?

3. What progress has been made to sustain the MIAEO commitment in community
outreach?

These questions are important for multiple stakeholders. Within the local community, 
REVS-UP has become a high profile program for K-12 teachers and high school students. It 
attracted 365 student applicants last year, and the rate of acceptance was as low as 30%. 
Curriculum development and community outreach are critical because of their alignment with 
MIAEO’s goal to “develop models for information assurance and outreach that can be
implemented on a regional and national scale to increase interest in the field of information
assurance and increase the capacity for high-quality education.” [1] Based on a premise that the
whole could be larger than the sum of its parts, analytic approaches are described in the method
section to triangulate quantitative and qualitative findings for MIAEO evaluation. 

Methods 

Starting in 2013, NSF funding has provided additional support to offer opportunities of 
hands-on investigation in network security and cryptography for high school students, K-12 
teachers, and CSUB student assistants. To address the result-based accountability, poster 
presentations are examined to illustrate completion of the research agenda led by two professors. 
Meanwhile, scholarly presentations and transcript records are analyzed to document subject 
competency of CSUB student assistants. School ratings are examined for high school students 
who participated in the REVS-UP exploration. Questionnaire feedback is gathered from K-12 
teachers and high school students to cross-examine REVS-UP impact in the local context 
(Question 1). 

[1] p. 3 of http://www.cs.csub.edu/~melissa/cv.pdf

The IA program development for CS and GINS majors is assessed according to well-established
curriculum theories. According to BEng (2010), curriculum development is
categorized across multiple stages. At the first stage, Intended Curriculum (IC1) is considered in
designing course syllabi. Based on IC1, Implemented Curriculum (IC2) is employed to describe
what is taught in classrooms and mathematics/science labs. At the final stage, Attained
Curriculum (AC) is examined to document student learning outcomes. This curriculum model
was employed by the International Association for the Evaluation of Educational Achievement
(IEA) in cross-national studies, such as the Third International Mathematics and Science Study
(Plompp, 2014). In this report, it is adopted to examine what has been accomplished in program
development for IA education (Question 2).

Document analyses are conducted to assess the impact of two events: (1) Information
Security Professional Speakers in April 2014, and (2) Dissemination workshop in August 2014.
Participant feedback is gathered to evaluate effectiveness of these events in community outreach 
and information dissemination (Question 3). 


Findings 

REVS-UP Outcomes 

In the 2014 Summer session, two CSUB professors led a team of 18 high school students, 
two college student assistants, and two high school teachers to engage in hands-on exploration of 
IA research for four weeks. The team was divided evenly into two sections. Each section was 
brought together for about an hour in the morning to learn about major security breaches from the past.
Hands-on experiences were gained from the lab exploration during the remaining part of the day.
This arrangement was designed to address the first recommendation of the last evaluation report,
i.e., “Incorporate More Hands-on Activities” (Wang, 2013, p. 19).

Summary of Poster Presentations

The persistent effort in REVS-UP exploration has resulted in completion of five poster
presentations to fulfill the research agenda of the leading professors (see Appendix 1). A content
analysis of the poster projects is summarized in Table 1. 


Table 1: Content of Poster Presentations from REVS-UP

Project Title: Network Scanning
Theme of Exploration: Examine four programs, Nmap, Snort, TCP Dump, and Wireshark,
to address network vulnerability issues.

Project Title: Bitcoin and the SHA-256 Hashing Function
Theme of Exploration: Explore pros and cons of Bitcoin, a form of crypto currency, and its
related SHA-256 security system.

Project Title: Integer Factorization Problem: An Attack on the RSA Public-Key Encryption Scheme
Theme of Exploration: Employ Maple 16 to examine Pollard’s Rho Algorithm and
Pollard’s p-1 Factoring Algorithm, both of which are better options than
Trial Division, which does not work well with semiprimes.

Project Title: How Secure is Your Password? GPU Password Cracking
Theme of Exploration: Use multiple hash types, such as MD5, SHA1, SHA256, & SHA512,
to calculate time differences across four categories (Dictionary
Attack, Combo Attack, Word+Pattern Attack, and Pattern+Word
Attack) for specific single-chip processors, i.e., GPUs-NVIDIA and
GPUs-ATI/AMD.

Project Title: Social Engineering: Hacking the Human Element
Theme of Exploration: Treat human element as the weakest link in security protocols and
apply Social Engineering tool to explore the methods of attackers
through information gathering, communication modeling, pretexting,
and elicitation.


Accomplishments of CSUB Student Assistants 

Without involvement of CSUB student assistants, one might wonder whether these topics 
were too complicated to engage high school students and K-12 teachers. Fortunately, the two 
student assistants have demonstrated strong subject competency to support the REVS-UP 
exploration. High school students reported, 

Without Dr. Danforth and Alfonso Puga, the basic curriculum would have been painfully
boring. Thankfully, they allowed me to branch out on my own for some additional
research.

I loved the knowledge and expertise of Dr. Danforth and Alfonso Puga.

Alfonso Puga is a CSUB student assistant. He maintains a 3.22 GPA in Computer 
Science. His subject competency is illustrated by the following accomplishments this year: 

(1) The first place recognition from a poster competition in the computer sciences category at
the 2014 Emerging Researchers National Conference
(http://www.emerging-researchers.org/2014-2/);

(2) The first place in the computer science and engineering category of CSUB Student 
Research Competition; 

(3) Delivery of presentations at the CSU-wide Student Research Competition and the CSUB 
Student Research Poster Competition. 

The other student assistant, Christian Elston, has a 3.92 GPA, and is recognized as the 
outstanding senior in Computer Engineering and the outstanding senior in Natural Sciences, 
Mathematics, and Engineering. Mr. Elston has been accepted by the master’s program in
intelligence and national security at the Institute of World Politics. The establishment of subject
competency has addressed the second recommendation of the last evaluation report, i.e., “Recruit 
Qualified Teaching Assistants” (Wang, 2013, p. 20). 

Benefit to High School Students 

Although the majority of high school applicants were not accepted by REVS-UP, the stiff 
competition did not reduce diversity of high school students on demographic dimensions. 

Survey responses were gathered from 16 high school students who participated in the IA 
exploration sections. Figure 1 shows the student distribution across gender and ethnicity 
domains. The pattern indicates the project involvement of evenly-distributed male and female 
students from diversified ethnic backgrounds. 

Figure 1: Gender and Ethnicity Distribution of High School Respondents



Students were asked to assess the impact of REVS-UP on their interest in cryptography 
and computer security. Figure 2 shows that REVS-UP has made the majority of high school 
students “interested” or “much more interested” in these fields. 


Figure 2: Enhancement of Student Interest Through REVS-UP 

Students were asked to confirm their agreement to a statement, “I am interested in
computer security/cyber security.” The responses were categorized on a five-point Likert scale
(1=“strongly disagree”, 5=“strongly agree”). With the intervention of REVS-UP investigation,
the average rating increased from 3.81 to 3.88 between pretest and posttest.

The learning experience from REVS-UP is also linked to a change of student self-concept.
Students indicated their agreement to the following statement, “I was prepared for this
activity [hands-on REVS-UP exploration]”. The average response dropped from 3.69 in pretest
to 3.63 in posttest on the Likert scale. Hence, the learning process seems to have made students
more humble, which confirmed a well-known statement from Confucius, “The more a man
learns, the more he knows his ignorance”. [1]

The written feedback from students has been overwhelmingly positive in both pretest and 
posttest. Here is a sample of responses regarding student learning experiences: 

I have experience with web development and very basic network security. I want to 
explore this field as a career option. 

This activity interested me because it was something that I was looking to major in for 
college. 

I liked the opportunity to work alongside other students of my age on a project. It allows
me to learn something I otherwise wouldn't learn in my high school.

[1] http://noveLischina.com.cn/vingvuwenxue/vinghmv/vinghanmingyanl5.htm

In addition to the individual learning outcomes, REVS-UP fosters development of a student
network across different high schools. Local schools are rated from 1 (the worst) to 10 (the best)
at greatschools.org according to student academic performance. A parent elaborated that “In my
mind a 10 is excellent test scores across the board, a 5 is slightly below average and a 1 is a
school where they shoot children for trying to use the library.” [1] In general, it was reported that
“GreatSchools is the leading source of information on school performance in the country”. [2]


Figure 3: REVS-UP Student Network across Different Schools. 
Legend: (1) Gender: pink - female, blue - male;

(2) School Rank: row 1 -> 9 (highest), row 2 -> 8, row 3 -> 7, row 4 -> 6, row 5 -> 5, row 6 -> 4 (lowest). 


Figure 3 shows the opportunity of student collaboration across diversified schools. Due 
to the competition in REVS-UP application, half of the students came from schools at ranks 8 or 
9. Nonetheless, the network in Figure 3 does include a quarter of the students from below- 
average schools on the last two rows. In addition, the student grouping is not systematically 
skewed toward male or female categories. The balanced network connections represent another 
benefit to support student involvement in the REVS-UP explorations. 


[1], [2] http://boards.straightdope.com/sdmb/showthread.php?t=675559

Feedback from High School Teachers

Two high school teachers worked as team members during REVS-UP explorations. 
Although they are unlikely to switch careers to the cybersecurity field, REVS-UP has enriched 
their knowledge to impact student learning in high school. One teacher acknowledged that “I 
benefited professionally from this activity by securing private information and also encouraging 
students who are interested in computers to further their education in computer science.” The 
other teacher also related REVS-UP to high school classroom settings, and indicated that “it 
[REVS-UP] showed me some different ways to use math in my classroom as well as some real 
world connections for my students and the math they are doing in the classroom.” 

After collaboration in the REVS-UP teams, both teachers expressed their satisfaction. 
One teacher reported, 

I really would like to include a lesson on the history of and how a cypher works and are 
created. Also have the students try to break a simple cypher. This would be good for 
group building and problem solving skills. 

The other teacher expected that “Students will learn how to create passwords that are
unpredictable/guessable and we will crack codes and using the DNA model. Lesson plans [for 
future teaching] are still in the making.” 

Both teachers commended the capacity of the learning environment at CSUB. They
indicated that “CSUB research environment is organized, up to date (new computers) and clean”
and “CSUB research environment and staff is encouraging and self-motivated.” More
importantly, they consistently rated CSUB faculty mentors and student assistants in a “very
supportive” category. They also liked the involvement of high school students. One teacher
indicated that “Working with the kids” was the part he liked most about REVS-UP. Another
teacher noted the entry-level engagement of REVS-UP, i.e., “This activity educated an individual
who knew nothing about the internet.” Hence, REVS-UP not only offered group-based learning 
experiences, but also supported professional development for in-service teachers. As one teacher 
summarized, “This activity opened my eyes to awareness of the internet and information that can 
be hacked into by a number of tactics.” 

In summary, MIAEO continues its summer-bridge program in information security 
through a stable REVS-UP platform. Like in Year 1, hands-on investigations have been led by 
two experienced professors and supported by two university student assistants. The education 
experiences are extended to two K-12 teachers and 18 high school students. Completion of 
the professors' research agenda is demonstrated by five research presentations in network security and
cryptography. With more emphasis on undergraduate research, student assistants have
demonstrated their subject competency, completed bachelor's degrees, and won several
recognitions through result disseminations. As a result, the program operation in Year 2 has
completely addressed two recommendations from Year 1 Evaluation Report (Wang, 2013).

College Curriculum Development

Two new factors are embedded in the curriculum development this year. One of them 
hinges on CSUB quarter-to-semester (Q2S) transition which requires an extensive review of all 
programs, including the ones that extend interdisciplinary supports for MIAEO. The other factor 
is reflected by personnel assignments. Professor Danforth, the MIAEO Director, has assumed 
the chair position in Department of Computer and Electrical Engineering and Computer Science 
(CEE/CS). The other professor, Dr. Charles Lam, has moved up to serve as the Interim
Associate Dean at School of Natural Sciences, Mathematics, and Engineering (NSME). Both 
administrative responsibilities are time-consuming, particularly during the Q2S transition. 

Despite the unexpected institutional changes, curriculum development has proceeded at
full speed to support a semester-based Information Security concentration. As was indicated in
the program description, “The Information Security track is intended for students who wish to
pursue a career in information assurance and security, either with government agencies or with
industry.” [1] Adjustments have been made at the Intended Curriculum (IC1) level to add two new
core courses in computer science (ACM/IEEE CS2013) and scale back on the number of GINS
courses to 4 to meet the upper-division course requirement.

In addition, program development has entered an Implemented Curriculum (IC2) stage, 
and CMPS 445 Data Mining & Visualization was taught in Winter 2014 to a class of 14 students. 
The class size is still considered healthy for a 400-level CMPS course in the undergraduate 
program. This class meets four days a week for both lecture and lab components to support 
knowledge discovery in and visualization of large datasets. Students are exposed to data mining 
concepts, information retrieval, analysis methods, storage systems (e.g., data warehouses and 
text-based information systems), visualization, implementation and applications. [2] The first two
lab assignments also include Ethics Across the Curriculum (EAC) components to enhance 
multidisciplinary approaches in student research. 

Outcomes of the course offering are documented by student feedback to assess features 
of the Attained Curriculum (AC). Nine students provided responses, and eight of them would 
recommend this course. The AC analyses further identified needs for revising homework 
assignments and some laboratory assignments. Because Python did not work properly on the
computer systems, a virtual machine with fully functioning software will be created for the next
offering of this course.

[1] http://www.cs.csub.edu/abet/semester/submitted/CMPS%20Catalog%20Copy%20-%20Track%20Changes%20version.docx

[2] http://www.cs.csub.edu/~melissa/courses.php?course=cs445&quarter=wl4&category=info

In conclusion, MIAEO stays on the right track for curriculum development according to a
thorough examination of the Intended Curriculum, Implemented Curriculum, and Attained 
Curriculum. Plans have been developed from the curriculum analyses to improve course 
assignments and virtual machine adoption for CMPS 445 in the future. 

Community Education Events 

The last recommendation from Year 1 Evaluation Report was on expanding community 
outreach approaches. In response, MIAEO hosted Information Security Professional Speakers 
(ISPS) on April 23, 2014 (Appendix 2) and sponsored a dissemination workshop on August 1, 
2014. Similar to last year, attendee responses were gathered from the ISPS event. Most 
respondents “agreed” or “strongly agreed” that the presentation met their expectations. 

Figure 4: Opinion on Whether This Presentation Met Attendee’s Expectation 



The Wilcoxon-Mann-Whitney test is employed to analyze the response difference
between adjacent years. This non-parametric test is analogous to the independent-samples t test and
can be used when the response variable is measured on an ordinal scale. The result indicates
significant improvement in attendee satisfaction over last year (Z=1.69, p=.0454).

The ongoing improvement is also illustrated by attendee responses to another item on a
Likert scale, “You learned helpful information at this event” (see Figure 5). The
Wilcoxon-Mann-Whitney test reconfirms significant improvement in attendee opinions over last year
(Z=3.32, p=.0004).

Figure 5: Acquisition of Helpful Information from ISPS 



Survey responses in Figure 6 indicate that more attendees would attend similar events in 
the future, which supports sustainability of ISPS as an event of community interest. 

Figure 6: Attendees Would Attend Similar Events in the Future

As a new component, the dissemination workshop was designed to distribute REVS-UP
information to the general public. Twenty-two community members participated in this event. 
The MIAEO Director indicated that most attendees were K-12 teachers, an indispensable 
component for the REVS-UP team building. 

In summary, MIAEO incorporated a dissemination workshop in its Year 2 operation. For 
the outreach effort through ISPS, the results demonstrated significant improvement of attendee 
satisfaction over last year. Together with the other components of REVS-UP exploration
and curriculum development, MIAEO has completely addressed all recommendations from the
last evaluation report (Wang, 2013).


New Recommendations 

At the time of awarding the MIAEO grant, the Q2S transition was not envisioned in the 
original proposal, nor did Professors Danforth and Lam expect to assume these major leadership 
positions in the CEE/CS Department and School of NSME. Despite these unexpected 
developments, MIAEO is running more smoothly than last year. One important factor is the 
maturity of student assistants to support MIAEO activities. 

As both student assistants headed toward graduation this year, two new student assistants
have been identified; one started working on research projects in May 2014 and the other
joined the team this month. To sustain the program success, the first recommendation is to
enhance the mentorship for new student assistants in the next year.

The original faculty team for MIAEO includes three professors, Drs. Danforth, Lam, and 
Martinez. While this report covers REVS-UP, Curriculum Development, and Community
Outreach components, the evaluator expects the latest update on a second community outreach
talk and its associated evening course for community outreach. Hence, the second
recommendation is to expand the existing mechanism of data gathering to reflect
effectiveness of these community outreach events.

ISPS has been offered twice in the first two years. Some presenters were commended 
highly by the attendees. For instance, multiple respondents praised a presenter named “Leif” or
“Leaf”. Another respondent indicated that “It’s all in the presenters. ... I as well as a few others
got some tired eyes on the second presentation. Repetitious, monotone, standstill presenters are 
tough to hear.” To improve ISPS effectiveness, the third recommendation is to enlarge the 
candidate pool for presenter selection and invite the ones who are experienced in public 
presentations. 
Appendix 1: Poster Presentations of Five IA Research Projects 

1. Network Scanning 


Department of CEE/Computer Science 

Network Scanning 

Beau Bikakis, Guang Jin Liu, Tue Le 
Advisor: Dr. Melissa Danforth Assistant: Alfonso Puga 

Background 

How does the Internet work? 

The Internet is the interaction of many connected devices across the 
world. It is a combination of hardware (computers, routers, servers, etc.) 
and protocols (a common set of rules for all Internet devices to follow). All 
devices on the Internet can speak to each other because they all follow 
the same set of protocols (TCP/IP). 

When a device is connected to the Internet through a local area 
network, it is given a special IP address to differentiate it from all the other 
devices that are also connected to the Internet. The IP address has two 
main functions: network identification and location addressing. 

Client computers send requests to an Internet server in order to open 
web pages, watch videos, etc. The request goes through a series of 
routers to reach the Internet server; the server searches its database for 
data that matches the request and then sends back its response. The 
client is the input and the server is the output. 

[Figure: How the Internet Works] 

What is Network Scanning? 

Network scanning is the use of scanning software to identify servers, 
devices, and clients on the network. It can be done by administrators 
looking to secure their network or hackers looking to exploit vulnerabilities. 

How does Network Scanning work? 

By using the correct programs and knowing how to use them, scanning 
networks can become quite easy. These programs can scan network 
vulnerabilities, capture packets, and detect incoming threats. Keep this in 
mind when you are on the Internet, as anyone can scan your web activity to 
quickly find unencrypted passwords and determine what websites you 
have been on. 

Network Scanning Programs 

Wireshark 

- Scans network traffic. 
- Analyzes packets (data that can be transferred over a network). 
- Filters through packets to find specific criteria. 
- Is graphics-based instead of terminal-based. 
- Monitors data coming in and out of your network. 

TCPdump 

- Acts similar to Wireshark but has a different interface. 
- Terminal-based. 
- You type in a command for which filter you want to apply. 

Nmap 

- Shows all hosts and devices connected to your network. 
- Creates a virtual 'map'. 
- Can determine the operating system of the target. 
- Discovers hosts by sending a packet and analyzing the response. 

Snort 

- Detects the intrusion of computers from the outside world. 
- Detects the intrusion in and out from the computer. 
- Can choose between different types of alerts and actions for different inputs. 
- Has three settings: sniffer, packet logger, and network intrusion detection. 


Network 

- Network is a subnet of links that get data to destination IP 
- A network is two or more computers linked together in order to share 
- Data is organized into packets 
- There are series of headers for the different tasks within the packet 

Network Vulnerabilities 

- Bugs in server programs, client programs, websites or web 
  • Mistake in program code 
  • Exploitable feature of program 
  • Malicious code 
- No default encryption that protects from packet sniffing 
- No verification of addresses and infrastructure servers 

Additional Info. 

- Most programs shown here are totally free to download 
- It is illegal to scan other people's network without proper 
- Permission is needed to scan other people's network 

References 

- Wireshark: http://www.wireshark.org/ 
- TCPdump: http://www.tcpdump.org 
- Nmap: http://nmap.org/ 
- Snort: https://www.snort.org/ 
- IP protocol: https://www.ietf.org/rfc/rfc791.txt 
2. Bitcoin and the SHA-256 Hashing Function 


Bitcoin and the SHA-256 Hashing Function 

Taylor Redden, Chelsea Dalton, Jordan Lacava, Remy Verduzco, Austin Burgeis 

Advisor: Dr. Charles Lam Assistant: Frank Madrid 

What is Bitcoin? 

Bitcoin is a form of cryptocurrency created in 2009 by an unknown 
person who went by the alias Satoshi Nakamoto. It is basically 
Internet money, but instead of being controlled by an organization 
like PayPal, Bitcoin does not have any middlemen. 

Obtaining a Bitcoin 

Bitcoins may be obtained by buying, exchanging, selling, or earning them 
through mining. Mining is the process that allows for Bitcoins to be 
brought into the market, where they may then be sold. They can be 
purchased through Bitcoin ATMs or from other sellers. 

Bitcoin Benefits 

• Mobile payments made easy 
• Security and control over your money 
• Works everywhere, anytime 
• Fast international payments 
• Zero or low fees 
• Protect your identity 

Bitcoin Drawbacks 

• Securing your wallet 
• Bitcoin price is volatile 
• Bitcoin payments are irreversible 
• Bitcoin is anonymous 
• Instant transactions are less secure 
• Bitcoin is still experimental 
• Government taxes and regulations 

[Figure: Worth] 

Transactions 

When you make a transaction, the data is sent to every node in the network 
where it updates the transaction tree, which basically verifies that you have 
enough Bitcoins to spend. Everyone can see everyone else's account 
balance and transactions, so there is no discrepancy with exchanges. 

These transactions are then ordered in the block chain. Each of the blocks 
contains information on the inputs and outputs of a transaction and also the 
name of the previous block in order to link all the blocks. The blocks of the 
block chain are created through a process called mining. 

Bitcoin transactions are secured by SHA-256. This security ... 
encrypt transactions addresses. ... 
the only one that can read the information. SHA stand... 
Algorithm" and the 256-bit model was created by the N... 
information. 

When you run the hashing function it will ... 
hash for the word hello is: ... 

Changing a single character in the original s... 
different string. The hash for the word jello is 
18/c9txeeb919elb3e6d20ta50ecab(7d9d5(. 

Mining 

Mining is used to expand the block chain as well as bring new Bitcoins to 
the market. When a user creates a new block, they receive a mining reward 
as well as any transaction fees. Anyone on the network can propose a new 
block, but it must meet special conditions. The SHA-256 hashing function is 
used to meet these conditions. 

For better results, experienced miners invest in higher computing power 
found in more cutting-edge technology. But even with the most high tech 
gear, the competition is too stiff for any one person to profit from, so 
people join mining pools. 

Using the data we were able to create the form... 
(where x is the number of zeros). This can be ... 
may take a computer to solve different hash f... 
predict that at 7 zeros, it takes about ... 
answer. The current mining difficulty has ... 
would take our system about 210,000 w... 
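The block linking and the "special conditions" a mined block must meet, sketched as an added example that is not part of the poster. It assumes the condition is a number of leading hexadecimal zeros in a single SHA-256 hash (real Bitcoin applies SHA-256 twice and compares against a numeric target); the block fields, sample transactions and function names are constructed for illustration.

```python
import hashlib

GENESIS_PREV = "0" * 64  # constructed placeholder meaning "no previous block"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_bits(word_a: str, word_b: str) -> int:
    """Count how many of the 256 output bits differ between two words' hashes."""
    a = int(sha256_hex(word_a.encode()), 16)
    b = int(sha256_hex(word_b.encode()), 16)
    return bin(a ^ b).count("1")


def block_hash(prev_hash: str, data: str, nonce: int) -> str:
    # The previous block's hash is part of the input, which links the blocks.
    return sha256_hex(f"{prev_hash}|{data}|{nonce}".encode())


def mine_block(prev_hash: str, data: str, zeros: int) -> dict:
    """Try nonces 0, 1, 2, ... until the block hash starts with `zeros` hex zeros."""
    prefix = "0" * zeros
    nonce = 0
    while True:
        digest = block_hash(prev_hash, data, nonce)
        if digest.startswith(prefix):
            return {"prev": prev_hash, "data": data, "nonce": nonce, "hash": digest}
        nonce += 1


def build_chain(records, zeros: int) -> list:
    chain, prev = [], GENESIS_PREV
    for data in records:
        block = mine_block(prev, data, zeros)
        chain.append(block)
        prev = block["hash"]
    return chain


def verify_chain(chain, zeros: int) -> bool:
    """Recompute every hash; any edited field or broken link fails the check."""
    prev = GENESIS_PREV
    for block in chain:
        digest = block_hash(block["prev"], block["data"], block["nonce"])
        if block["prev"] != prev or digest != block["hash"]:
            return False
        if not digest.startswith("0" * zeros):
            return False
        prev = digest
    return True


def attempts_by_zeros(data: str, max_zeros: int) -> list:
    """Rows of (zeros, attempts actually needed, expected attempts 16**zeros)."""
    return [(z, mine_block(GENESIS_PREV, data, z)["nonce"] + 1, 16 ** z)
            for z in range(1, max_zeros + 1)]


if __name__ == "__main__":
    print("bits changed, hello vs jello:", differing_bits("hello", "jello"))
    for zeros, tried, expected in attempts_by_zeros("constructed sample block", 4):
        print(f"{zeros} zeros: {tried} attempts (expected about {expected})")
    chain = build_chain(["A pays B 1", "B pays C 1", "C pays A 1"], zeros=3)
    print("chain valid:", verify_chain(chain, 3))
    chain[0]["data"] = "A pays B 100"  # tamper with an old transaction
    print("after tampering:", verify_chain(chain, 3))
```

Each extra required zero multiplies the expected work by 16, which is why the time to find a block grows so quickly with the number of zeros.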
3. Integer Factorization Problem: An Attack on the RSA Public-Key Encryption Scheme 


Department of Mathematics 

Integer Factorization Problem 
An Attack on the RSA Public-Key Encryption 
Scheme 

Maria Chumpitaz, Chad Cole, Haley Hamer, Alisa Iduma, Lucero Morales 

Advisor: Dr. Charles Lam Assistant: Frank Madrid 

Introduction: 

RSA is one of the encryption systems that depend upon the complexity of the integer 
factorization problem to prevent an unwelcomed third party from decoding the 
message. The function of this system involves a public key $(n, e)$, $n$ being a product of 
two large prime numbers that are not easily factored and $e$ being a random number 
between 1 and $\varphi(n)$, and a private key $(d)$, which can be found using the formula 
$ed \equiv 1 \pmod{\varphi(n)}$. For example, Alice creates a public and private key, then she 
makes the public key available to anyone who wants to send her a message. Once 
Alice gets an encrypted message back, only she is able to decrypt it with the private 
key. However, if an eavesdropper Eve is able to factor $n$, then she could possibly find 
the private key $(d)$ by using the previous formula, then plug $d$ into $m \equiv c^d \pmod{n}$, $m$ 
being the decrypted message and $c$ being the encrypted message. 

Background: 

Three possible ways to break the RSA algorithm are Trial Division, Pollard's Rho 
Algorithm, and Pollard's p-1 Factoring Algorithm. Trial division factors smaller 
numbers (less than one million) and does not work well with semiprimes because 
they can be fairly large numbers. The Pollard Rho Algorithm allows the division 
process to be much quicker and allows the possibility of finding the two numbers that 
divide into a composite number. Pollard's p-1 Factoring Algorithm finds prime factors 
p by dealing with p-1. Each of the algorithms is efficient in certain cases. 


Method & Data: 

[Data tables: Time (s)] 

Trial Division 

Trial division worked extremely fast for very small numbers. It depends on the 
factorization of the smallest primes, and it divides the number by the next prime until 
it works and is fully factored. According to the data gathered, the time grows 
exponentially as the bits increased. So with larger numbers the time taken will 
increase greatly between two consecutive bits. 

Pollard's Rho Algorithm 

In order to factor numbers, there are easier ways to factor than just dividing by the 
smaller prime numbers such as 2, 3, and 5 like trial division. Once the numbers begin 
to get larger this becomes a lengthy and time-consuming process. The Pollard Rho 
Algorithm allows the division process to be much quicker and allows the possibility of 
finding two numbers that can divide into the number. Based on the data obtained, the 
time increased as the numbers became larger. If one were to test further, one would 
expect the difference in time between two consecutive numbers to be even more 
drastic. 

Pollard's p-1 Factoring Algorithm 

Pollard's p-1 Factoring Algorithm is effective, but not to the extent that the Rho 
Algorithm is because of the complexity of the calculating process that this algorithm 
undergoes. All of the numbers tested in the data above were successfully factored, 
and longer numbers did result in a longer run time. Based on the data collected, as 
the bits get larger, the time it will take to break the numbers will grow at a steadily 
increasing rate. At the beginning it is reasonably slow; however, as the number 
grows, this algorithm becomes more useful as it is intended for a certain range of 
numbers. 

Conclusion: 

... for large numbers. Pollard's p-1 Factoring Algorithm was moderately better than trial 
division; however, as the numbers became even larger, it too took more time. 
Overall, Pollard's Rho Algorithm was the fastest and most effective method out of the 
three tested. Even though the algorithm was able to factor reasonably large numbers, 
there is a point where the value of n could become so large that no method could 
factor the number fast enough to crack the code for Eve before it becomes useless. 

Future Work: 

Aside from the algorithms researched in this project, there are many different 
methods that are more complex that can be used to solve the integer factorization 
problem faster. These include but are not limited to elliptic curve factoring, random 
square factoring methods, quadratic sieve factoring, and number field sieve factoring. 
Random square factoring method finds the factors by finding a congruence of 
squares modulo n; however, it has not been completely developed. The quadratic 
sieve factoring method is one of the faster ways to factor and is similar to the random 
square factoring method except it requires large amounts of memory. The 
recommended size for RSA is 4096 bits, the basic unit of information, because it would 
take an eavesdropper years to crack. Therefore people with adequate resources 
could further explore this method. 
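An added example, not code from the poster, that runs the three factoring methods on toy moduli and then lets the eavesdropper rebuild the private key from a factor of n. The primes, the message and all function names are constructed for illustration, and step counts stand in for the poster's timings.

```python
import math


def trial_division(n):
    """Divide by 2, 3, 5, 7, ... and return (smallest factor, divisions tried)."""
    steps, f = 0, 2
    while f * f <= n:
        steps += 1
        if n % f == 0:
            return f, steps
        f += 1 if f == 2 else 2
    return n, steps  # no divisor found: n itself is prime


def pollard_rho(n, c=1):
    """Floyd cycle detection on x -> x^2 + c (mod n); returns (factor, iterations)."""
    if n % 2 == 0:
        return 2, 0
    steps = 0
    while True:
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n          # tortoise: one step
            y = (y * y + c) % n          # hare: two steps
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
            steps += 1
        if d != n:
            return d, steps
        c += 1                           # cycle closed without a factor: new polynomial


def pollard_p_minus_1(n, bound=10_000):
    """Raise 2 to k! (mod n); finds p quickly when p - 1 has only small prime factors."""
    a, k = 2, 1
    for k in range(2, bound + 1):
        a = pow(a, k, n)
        d = math.gcd(a - 1, n)
        if 1 < d < n:
            return d, k
        if d == n:
            break                        # both primes caught in the same step
    return None, k


def private_key_from_factor(n, e, p):
    """Solve e*d = 1 (mod phi(n)) once one prime factor p of n is known."""
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)               # modular inverse, Python 3.8+


def eve_decrypts(n, e, ciphertext):
    p, _ = pollard_rho(n)
    d = private_key_from_factor(n, e, p)
    return pow(ciphertext, d, n)


# Constructed toy keys; real RSA primes are hundreds of digits long.
P, Q = 999_983, 1_000_003                # two primes of similar size
N, E = P * Q, 65_537
SMOOTH_N = 65_537 * 1_000_003            # 65537 - 1 = 2**16, so p - 1 is very smooth

if __name__ == "__main__":
    print("trial division:", trial_division(N))
    print("Pollard rho:   ", pollard_rho(N))
    print("p-1 on N:      ", pollard_p_minus_1(N))
    print("p-1 on smooth: ", pollard_p_minus_1(SMOOTH_N))
    message = 42_424_242
    ciphertext = pow(message, E, N)      # what Alice's correspondent sends
    print("Eve recovers:  ", eve_decrypts(N, E, ciphertext))
```

The p-1 method returns after only 8 steps on the second modulus because one prime minus one is a power of two, which is the "certain cases" point made in the Background section.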



4. How Secure is Your Password? GPU Password Cracking 


Department of CEE/Computer Science 

How Secure is your Password? 

GPU Password Cracking 

Alwin Villamor, Cassandra Sanchez, & Ebony Turner 

Advisor: Dr. Melissa Danforth Assistant: Alfonso Puga 

What are GPUs? 

GPUs are single-chip processors primarily used to manage and/or 
provide the performance of video and graphics. 

Why are GPUs used for cracking passwords? 

GPUs are excellent at processing mathematical calculations and they have 
hundreds if not thousands of cores that can be used to compute multiple 
mathematical functions simultaneously. Basically, it is much faster to use a 
GPU for password cracking. 

How password cracking works? 

In our world of technology, there are two ways passwords are cracked. 
Either hackers try to crack your password by using simple logic or tools 

Time Trials 

NVIDIA 

Attack | MD5 | SHA1 | SHA256 | SHA512 
Dictionary Attack (large.dict) | 3 mins | 5 mins | 8 mins | 35 mins 
Combo Attack (large.dict / common passwords.dict) | 3 days 10 hrs | 7 days 4 hrs | 15 days 3 hrs | 42 mins 
-a 6 (Word+Pattern) | 2 yrs 28 days | 4 yrs 319 days | 9 yrs 360 days | >10 yrs 
-a 7 (Pattern+Word) | ? yr 347 days | 4 yrs 359 days | >10 yrs | >10 yrs 


Methods: 

Simple Logic 
• ... 
• Important Years/Numbers 

Tools 
• Dictionaries 
• Rules 

Simple logic hackers, who may be a close friend or an associate, use personal/ 
public information already known about you to guess your password. 
Dictionary attacks scan through lists of preset words, phrases, and 
common passwords. 

Brute-force attacks use every possible combination of letters, digits, and 
symbols to decrypt passwords. 


Examples: 

Using multiple hash types, such as MD5, SHA1, SHA256, & 
SHA512, we calculated the time differences between attacks and 
GPUs: NVIDIA & ATI/AMD. 

Attacks: 

• -a 0 (one dictionary attack) 
• -a 1 (two dictionary attacks) 
• -a 3 (brute force attack) 
• -a 6 (Word + Pattern attack) 
• -a 7 (Pattern + Word) 

Rules: 

• ?u : uppercase 
• ?l : lowercase 
• ?s : symbols 
• ?d : digits 
• ?a : all 

Dictionaries: 

• large.dict (7070 words) 
• example.dict (129988 words) 
• common passwords.dict (3548 words) 
• english lower.dict (439833 words) 
• combo2.dict (9025 words) 
• combo3.dict (857375 words) 


Password | Combinations | Possible Passwords 
Password has 6 digits | 10 x 10 x 10 x 10 x 10 x 10 | 1,000,000 
Password has 6 symbols | 32 x 32 x 32 x 32 x 32 x 32 | 1,073,741,824 
Password has 6 letters (lowercase) | 26 x 26 x 26 x 26 x 26 x 26 | 308,915,776 
Password has 6 characters (lowercase, uppercase, digits, & symbols) | 94 x 94 x 94 x 94 x 94 x 94 | 689,869,781,056 

ATI/AMD 

Attack | MD5 | SHA1 | SHA256 | SHA512 
Dictionary Attack (large.dict) | 10 secs | 16 secs | 28 secs | 39 secs 
Combo Attack (large.dict / common passwords.dict) | 41 mins | 1 hr 39 mins | 3 hrs 45 mins | 11 hrs 42 mins 
-a 6 (Word+Pattern) | 11 days 14 hrs | 5 yrs 145 days | 28 days 5 hrs | 265 days 2 hrs 
-a 7 (Pattern+Word) | 8 days 20 hrs | 22 days 9 hrs | 82 days 22 hrs | 132 days 




Tips 

What makes a weak password? 

• Is typically 8 characters or less 
• ... patterns 
• Is relevant to previous password 
• Contains some public/personal information about yourself. 
  Ex: Special Dates, Names, etc. 

What makes a strong password? 

• Is longer than 8 characters 
• ... phrases 
• ... personal or publicly 

14 Passwords Decrypted 

42 Total Passwords 

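An added example (not from the poster) that counts how many candidates each of the listed attack modes has to try, using the poster's character-class and dictionary sizes, and derives the shortest random password length that outlasts a given guessing budget. The guess rate is an assumed figure and the function names are hypothetical.

```python
# Character-class sizes as counted on the poster. Note: hashcat's own built-in
# ?s also includes the space character, so its ?s and ?a are one larger.
CLASS_SIZE = {"u": 26, "l": 26, "d": 10, "s": 32, "a": 94}

# Dictionary sizes quoted on the poster (word counts only, no word lists needed).
DICT_WORDS = {"large.dict": 7070, "common passwords.dict": 3548}


def mask_keyspace(mask: str) -> int:
    """Number of strings matched by a mask such as '?u?l?l?l?d?d'."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            token = mask[i:i + 2]
            if len(token) < 2 or token[1] not in CLASS_SIZE:
                raise ValueError(f"unknown mask token {token!r} at position {i}")
            total *= CLASS_SIZE[token[1]]
            i += 2
        else:
            i += 1  # a literal character contributes exactly one choice
    return total


def candidates(mode: int, dict_sizes=(), mask: str = "") -> int:
    """Candidates to try for the poster's attack modes -a 0, 1, 3, 6 and 7."""
    if mode == 0:                      # one dictionary
        return dict_sizes[0]
    if mode == 1:                      # every word of one list joined to every word of another
        return dict_sizes[0] * dict_sizes[1]
    if mode == 3:                      # brute force over a mask
        return mask_keyspace(mask)
    if mode in (6, 7):                 # word + pattern, or pattern + word
        return dict_sizes[0] * mask_keyspace(mask)
    raise ValueError(f"unsupported attack mode {mode}")


def min_length(class_size: int, guesses_per_second: int, seconds: int) -> int:
    """Shortest random password length whose keyspace outlasts the guessing budget."""
    budget, length = guesses_per_second * seconds, 1
    while class_size ** length < budget:
        length += 1
    return length


if __name__ == "__main__":
    large, common = DICT_WORDS["large.dict"], DICT_WORDS["common passwords.dict"]
    print("-a 0:", candidates(0, [large]))
    print("-a 1:", candidates(1, [large, common]))
    print("-a 3 ?a x6:", candidates(3, mask="?a" * 6))
    print("-a 6 word + ?d?d?d?d:", candidates(6, [large], "?d?d?d?d"))
    # Assumed rate: one billion guesses per second, for one year.
    print("min length, all 94 characters:", min_length(94, 10**9, 365 * 24 * 3600))
    print("min length, digits only:", min_length(10, 10**9, 365 * 24 * 3600))
```

A word followed by a short predictable pattern adds far fewer candidates than extra random characters do, which is why length and randomness matter more than a trailing year or number.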
5. Social Engineering: Hacking the Human Element 


Social Engineering: 
Hacking the Human Element 

Mason Pawsey, Sonia Patino, Marissa Campos, Stephanie Acosta 

Advisor: Dr. Melissa Danforth Assistant: Alfonso Puga 

Introduction 

Today's companies must perform transactions and processes that 
involve handling data. That data can be company information, 
personal data, logistic information, etc. This information, if sold to 
the right person, can yield a massive profit for malicious agents. 
This provides motive for hackers to target the company. Hacking is 
the breaching of security to obtain information or some sort of good 
for personal gain. Companies are very aware of the problem that 
hacking poses; however, they often overlook a more simple 
approach for the hacker to compromise a company: social 
engineering. 

What is social engineering? 

Social engineering is a tool widely used and often overlooked by 
companies. It exploits the weakest link in any security protocol, the 
human element. By preying on human nature, human tendencies, 
etc., hackers get useful personal/professional information that's then 
used to breach security. 


Purpose 

On a daily basis, thousands of attacks are launched against large 
and small companies to gather private and useful information of 
consumers around the world. 

Our purpose is to explore the methods of attackers, to help 
protect private information and educate consumers like you and me. 

"Know thyself, know thy enemy. A thousand battles, a thousand victories." 
- Sun Tzu 

Techniques 

- Information Gathering 
- Communication Modeling 
- Pre-texting 
- Elicitation 

Information Gathering 

Gathering information about your target is the most integral part of social 
engineering. Private information, public information, any kind of 
information is gathered to create a foundation for the social engineering 
engagement. 

Communication Modeling 

The way a social engineer communicates is vital to their information 
gathering. Gaining someone's trust depends on both their verbal and non- 
verbal means, such as speech, tone of voice, body language, and touch. 
Because of human nature, approaching someone in the right way will 
usually result in a polite and frie... 

[Figure: Berlo's SMCR Model of communication] 

PREV... 

Information Gathering 

Documents that contain personal information and company 
information should be disposed of in a safe way, such as shredding 
and using secure disposal personnel to keep the information 
away from dumpster divers. 

Communication Modeling/Pre-texting/Elicitation 

Just because someone approaches you in a ... that they are trustworthy. While it is 
not ... those who try to strike up conversation, it's ... infiltrations. You should not 
access your personal email through a company's network. ... and company 
information should be discussed with authorised personnel only. 

... it is best to ... information it ... give ... should inform their personnel of what 
information is acceptable to divulge. 


Pre-texting 

Pre-texting is a false motive ... creating a new identity. Just like information 
gathering and communication modeling, pre-texting is a technique used by social 
engineers to persuade their target to release information or perform some action. 

For example, a social engineer could pretend to be an employee of a big company 
and use the information gathering technique to compromise their security and 
possibly have physical access to their computers and networks. 

Elicitation 

This is a non-threatening, easy to disguise and effective technique 
that can be conducted in person, over the phone, or in writing. 
Elicitors may collect information about you or colleagues that could 
facilitate future targeting attempts. A trained elicitor exploits certain 
human or cultural predispositions. This includes: a tendency to 
answer truthfully when asked an "honest" question, a desire to be 
polite and helpful, a tendency to gossip, and a tendency to 
correct others. 

91% of all passwords are one of the 1,000 most common 

How many of your passwords are based around YOUR personal 
information? Tip: Use upper/lower case letters, numbers and symbols t... 
chances of your password being guessed 

Conclusion 

Companies spend outrageous amounts of money a year ensuring their security 
systems stay secure to protect their vendors and customers. Unfortunately, they 
often overlook the most important - and least secure - component of any system: 
the human element. Social engineering aims to exploit the lack of focus and 
diligence of employees with critical information that could lead to a breach in 
security. During our research, we explored the techniques and strategies used to 
compromise systems and what corporations can do to make sure their people and 
their sensitive data stay safe and secure. 
Appendix 2: ISPS Speaker Event 


“A Day in the Life of an 
Information Security Professional” 


Speakers: Victoria Hurtado — Kern Health Systems 

Leif Davisson — Kern Federal Credit Union 


Victoria Hurtado grew up in San Jose, California. She received her Bachelor’s in Business Administration and 
Marketing Management from California Polytechnic State University in San Luis Obispo and later received her 
Master’s degree in Business Management from University of Phoenix. Victoria relocated to Bakersfield to join 
the KHS team in late 2011. Victoria is responsible for the Information Technology Operations at Kern Health 
Systems. Victoria provides technical leadership, vision, and day to day support for IT Operations. She is 
responsible for all of the information systems and networking, security, and infrastructure within the organization. 
Although the main areas of discipline are infrastructure related, she plays an active role in Project Management, 
Technical Analytics, and Software Development. At KHS, they follow an Agile Methodology for software 
development lifecycle that is used to build workflows within the organization for process improvement. 


Leif Davisson is a native of Bakersfield and has followed emerging technology throughout his career and work. 
Leif has worked as a Network Specialist at Kern Federal Credit Union since 2007. He fosters innovation and 
security awareness for staff and members. Prior to employment at Kern FCU, Leif worked for the Kern County 
Treasurer and Sheriff’s Department following his first job working at the CSUB ITA Staff Helpdesk. Leif earned 
his Degree in Business Administration (2010) with a focus in Management Information Systems. Leif continued 
his technical education and in 2012 passed both Network+ and Security+. Leif is an active member in the Kern 
Information Systems Security Association. In his spare time he enjoys membership in the Kern County Scottish 
and Irish Societies where he provides technical advice and enjoys others with similar interests. 



Partial support for this event was 
provided by the National Science 
Foundation’s Federal Cyber Service: 
Scholarship for Service (SFS) program 
under Award No. 1241636. 


Any opinions, findings, and conclusions 
or recommendations expressed in this 
event are those of the speakers and do 
not necessarily reflect the views of the 
National Science Foundation. 